US2008016314A1PendingUtilityA1
Diversity-based security system and method
Est. expiryJul 12, 2026(~0 yrs left)· nominal 20-yr term from priority
H04L 63/1441G06F 12/1408G06F 21/126G06F 12/0223G06F 21/52G06F 21/125G06F 21/554G06F 21/56G06F 21/12G06F 21/54
38
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
The prevalence of identical vulnerabilities across software monocultures has emerged as the biggest challenge for protecting the Internet from large-scale attacks against system applications. Artificially introduced software diversity provides a suitable defense against this threat, since it can potentially eliminate common-mode vulnerabilities across these systems. Systems and methods are provided that overcomes these challenges to support address-space randomization of the Windows® operating system. These techniques provide effectiveness against a wide range of attacks.
Claims
exact text as granted — not AI-modified1 . A computer-implemented method of providing address-space randomization for a Windows® operating system in a computer system, the method comprising the steps of:
rebasing system dynamic link libraries (DLLs); rebasing a Process Environment Block (PEB) and a Thread Environment Block (TEB); and randomizing a user mode process by hooking functions that set-up internal memory structures for the user mode process, wherein randomized internal memory structures, the rebased system DLLs, rebased PEB and rebased TEB are each located at different addresses after said respective rebasing step providing a defense against a memory corruption attack and enhancing security of the user mode process in the computer system by generating an alert or defensive action upon an invalid access to a pre-rebased address.
2 . A computer-implemented method of providing address-space randomization for a Windows® operating system in a computer system, comprising the steps of:
rebasing a system dynamic link library (DLL) from an initial DLL address to another address, in kernel mode; rebasing a Process Environment Block (PEB) and Thread Environment Block (TEB) from an initial PEB and initial TEB address to different PEB address and different TEB address, in kernel mode; rebasing a primary heap from an initial primary heap address to a different primary heap address, from kernel mode, wherein access to any one of: the initial DLL address, the initial PEB address, the initial TEB address, and initial primary heap address causes an alert or defensive action in the computer system.
3 . The computer-implemented method of claim 2 , further comprising the step of injecting a user mode DLL at a process start time.
4 . The computer-implemented method of claim 2 , wherein at least one of the rebasing steps includes hooking functions that perform DLL mapping.
5 . The computer-implemented method of claim 2 , wherein at least one of the steps for rebasing includes hooking functions that performs thread creation.
6 . The computer-implemented method of claim 2 , wherein at least one of the steps for rebasing includes hooking functions that performs heap creation.
7 . The computer-implemented method of claim 2 , wherein at least one of the steps for rebasing includes hooking functions that creates and manipulates heap blocks.
8 . The computer-implemented method of claim 2 , wherein at least one of the steps for rebasing includes hooking functions that creates a child process.
9 . The computer-implemented method of claim 2 , wherein at least one step for rebasing includes hooking functions and the hooking provides a wrapper around the real function, the wrapper changing parameters to cause randomizing of a user mode process.
10 . The computer-implemented method of claim 9 , wherein the step of hooking checks application specific-settings to determine which functions to hook.
11 . The computer-implemented method of claim 2 , wherein at least one step for rebasing includes at least any one of:
randomizing a DLL Base when a DLL is loaded resulting in a rebased DLL, randomizing a thread stack when a new thread is created resulting in a rebased thread stack, randomizing a heap base when a heap is created resulting in a rebased heap, adding a guard around a heap block when the heap block is allocated, and randomizing a primary stack by invoking a customized loader to create a process.
12 . The computer-implemented method of claim 11 , wherein the rebased DLL, the rebased thread stack, and the rebased heap base are each located at different address after the respective randomizing step providing a defense against memory corruption attacks and enhancing security of a user mode process in the computer system.
13 . The computer-implemented method of claim 2 , further comprising the steps of:
failing and crashing a process associated with a first instance of the memory corruption attack; learning from the attack and generating a signature to block a further similar attack.
14 . The computer-implemented method of claim 13 , further comprising the step of building an input function interceptor and maintaining recent input history in memory to facilitate the learning and for generating a vulnerability based signature to block a further similar attack.
15 . The computer-implemented method according to claim 2 , wherein at least one step for rebasing is configured to check an application setting to determine whether to perform the at least one step for rebasing and by-passing at least a portion of the at least one step for rebasing based on the application setting.
16 . The computer-implemented method of claim 15 , wherein the at least one step for rebasing includes randomizing a thread stack when a thread is created based on the application setting.
17 . The computer-implemented method of claim 15 , wherein the at least one step for rebasing includes randomizing a heap base based on the application setting.
18 . The computer-implemented method of claim 15 , wherein the at least one step for rebasing includes adding a guard around a heap block during allocation of the heap block, based on the application setting.
19 . The computer-implemented method of claim 2 , wherein the step for rebasing primary heaps from kernel mode includes hooking a system call for ZwAllocateVirtualMemory.
20 . The computer-implemented method of claim 19 , further comprising the steps of:
for a created process whose application setting has primary heap base randomization turned on, and when CreateProcess callback is invoked for the newly created process, randomizing a memory location associated with ZwAllocateVirtualMemory for the MEM_RESERVED type of allocations; and stopping randomization when Load Image callback is invoked for the created process.
21 . The computer-implemented method of claim 20 , wherein the CreateProcess has a family function wrapper, further comprising the step of invoking a customized loader by calling the customized loader program, the customized loader program configured to perform execution of the steps of:
parse a command line to get a real program name and original command line; examining the original program executable relocation section and statically linked dependent DLLs; optionally rebasing the executable relocation section if the relocation section is available and optionally rebasing the statically linked dependents DLLs for maximum randomization; calling ZwCreateProcess in NTDLL to create a process object; calling ZwAllocateVirtualMemory to allocate memory for a stack in a randomized location; call ZwCreateThread to associate the thread with the stack and attach it with the process object; and setting the created process object to start running by calling ZwResumeThread.
22 . A computer-implemented method to perform runtime stack inspection for stack buffer overflow early detection during a computer system attack, the method comprising the steps of:
hooking a memory sensitive function at DLL load time based on an application setting, the memory sensitive function including a function related to any one of: a memcpy function family, a strcpy function family, and a printf function family; detecting a violation of a memory space during execution of the hooked memory sensitive function; and reacting to the violation by generating an alert or preventing further action
by a process associated with the hooked function in the computer system.
23 . The computer-implemented system of claim 22 , wherein at least one of the steps for hooking, detecting and reacting occur in a Windows® operating system.
24 . A computer-implemented method to perform Exception Handler (EH) based access validation and for detecting a computer attack, the method comprising steps:
providing a Exception Handler to a EH list in a computer system employing a Windows® operating system and keeping the provided Exception Handler (EH) as the first EH in the list; making a copy of a protected resource; changing a pointer to the protected resource to a erroneous or normally invalid value so that access of the protected resource generates an access violation; upon the access violation, validating if an accessing instruction is from a legitimate resource having an appropriate permission; if the step of validating fails to identify a legitimate resource as a source of the access violation, raising an attack alert.
25 . The computer-implemented method of claim 24 , wherein if the step of validating identifies a legitimate resource, further comprising the step of restoring execution context and continuing execution with a known valid value.
26 . The computer-implemented method of claim 25 , wherein the step of restoring the execution context includes:
inspecting one or more common purpose registers; identifying one of the one or more registers having a value close to a known bad value identified by the EH; and replacing the contents of the identified register with a known valid value.
27 . The computer-implemented method of claim 24 , wherein if the step for validating fails to identify a legitimate resource as the source of the access violation, starting a vulnerability analysis.
28 . The computer-implemented method of claim 24 , wherein the method to perform Exception Handler (EH) based access validation detects attacks by protecting any one of the following protected resources:
a PEB/TEB data member; a Process parameter and Environment variable blocks; an Export Address Table (EAT); a Structured Exception Handler (SEH) frame; and an Unhandled Exception Filter (UEF).
29 . A computer implemented method to inject a user mode DLL into a newly created process at initialization time of the process in a computer system employing a Windows® operating system to prevent computer attacks, the method comprising steps of:
finding or creating a kernel memory address that is shared in user mode by mapping the kernel memory address to a virtual address in a user mode address space of a process; copying instructions in binary form that calls user mode Load Library to the found or created kernel mode address from kernel driver creating shared Load Library instructions; and queuing an user mode APC call to execute the shared Load Library instructions from user address space of a desired process when it is mapping kernel 32 DLL.
30 . A system for providing address-space randomization for a Windows® operating system in a computer system, comprising:
means for rebasing a system dynamic link library (DLL) from an initial DLL address to another address, at kernel mode; means for rebasing a Process Environment Block (PEB) and Thread Environment Block (TEB) from an initial PEB and initial TEB address to different PEB address and different TEB address, at kernel mode; and means for rebasing a primary heap from an initial primary heap address to a different primary heap address, from kernel mode, wherein access to any one of: the initial DLL address, the initial PEB address, the initial TEB address, and initial primary heap address causes an alert or defensive action in the computer system.
31 . The system for providing address-space randomization of claim 30 , further comprising means for injecting a user mode DLL at a process start time.
32 . The system for providing address-space randomization of claim 30 , wherein at least one of the rebasing steps includes means for hooking functions that perform DLL mapping.
33 . The system for providing address-space randomization of claim 30 , wherein at least one of the means for rebasing includes means for hooking functions that performs thread creation.
34 . The system for providing address-space randomization of claim 30 , wherein at least one of the means for rebasing includes means for hooking functions that performs heap creation.
35 . The system for providing address-space randomization of claim 30 , wherein at least one of the means for rebasing includes means for hooking functions that creates and manipulates heap blocks.
36 . The system for providing address-space randomization of claim 30 , wherein at least one of the means for rebasing includes means for hooking functions that creates a child process.
37 . The system for providing address-space randomization of claim 30 , wherein at least one means for rebasing includes means for hooking functions and the hooking provides a wrapper around the real function, the wrapper changing parameters to cause randomizing of a user mode process.
38 . The system for providing address-space randomization of claim 30 , wherein the means for hooking checks application specific settings to determine which functions to hook.
39 . A computer-implemented method of providing address-space randomization for an operating system in a computer system, comprising at least any one of the steps a) through e):
a) rebasing one or more application dynamic link libraries (DLLs); b) rebasing thread stack and randomizing its starting frame offset; c) rebasing one or more heap; d) rebasing a process parameter environment variable block; e) rebasing primary stack with customized loader; and wherein at least any one of: the rebased application DLLs, rebased thread stack and its starting frame offset, rebased heap base, the rebased process parameter environment variable block, the rebased primary stack are each located at different memory address away from a respective first address prior to rebasing, and after said respective rebasing step, an access to any first respective address causes an alert or defensive action in the computer system.
40 . The computer-implemented method of claim 39 , further comprising the step of adding a protecting guard around heap blocks at user mode.
41 . The computer-implemented method of claim 39 , wherein the operating system is a Windows® operating system.
42 . The computer-implemented method of claim 39 , wherein the at least any one of the steps a) through e) for rebasing occurs in user mode.
43 . A computer program product having computer code embedded in a computer readable medium, the computer code configured to execute the following at least any one of the steps a) through e):
a) rebasing one or more application dynamic link libraries (DLLs); b) rebasing thread stack and randomizing its starting frame; c) rebasing one or more heap; d) rebasing a process parameter environment variable block; e) rebasing primary stack with customized loader; and wherein at least any one of: the rebased application DLLs, rebased thread stack and its starting frame offset, rebased heap base, the rebased process parameter environment variable block, the rebased primary stack are each located at different memory address away from a respective first address prior to rebasing, and after said at least any one of the steps a) through e), an access to any first respective address causes an alert or defensive action in the computer system.
44 . The computer program product of claim 43 , wherein the program code is configured to execute the additional step of adding a protecting guard around heap blocks at user mode.
45 . The computer program product of claim 43 , wherein the program code is configured to execute in a Windows® operating system environment.
46 . The computer program product of claim 43 , wherein the at least any one of the steps a) through e) for rebasing occurs in user mode.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.